The exploit, released on the Internet last week, isn't for a flaw that Oracle patched, but for a new problem. Initially, experts believed it was for one of the patched vulnerabilities.

Intruders could still gain higher privileges on a system via the new flaw in the database's (DBMS) export extension--a component that has been a recurring source of problems, Litchfield wrote.

Other versions of 10g may also be affected, Symantec said in an alert to users of its DeepSight intelligence service.

"We strongly encourage database administrators to revoke public execute permissions for DBMS export extension until an adequate vendor-supplied patch is available for this issue," the security company advised.

Oracle was not available for comment.

Litchfield expressed frustration at Oracle's response to the problem in Oracle 10g Release 2. "This specific flaw was reported to Oracle on the 19th of February 2006," Litchfield wrote.

He went on to give details of other problems related to the issue, which he said Oracle had tried, but failed, to remedy since he first reported them in April 2004.

Security researchers have criticized Oracle for being slow to patch and for not working well with them to fix security holes. In response, Mary Ann Davidson, the business software maker's chief security officer, has said that researchers themselves can be a stumbling block to product security.

Report offensive content:

If you believe this comment is offensive or violates the CNET's Site Terms of Use, you can report it below (this will not automatically remove the comment). Once reported, our staff will be notified and the comment will be reviewed.

E-mail this comment to a friend.

E-mail this to:

Note: Your e-mail address is used only to let the recipient know who sent the e-mail and in case of transmission error. Neither your address nor the recipients's address will be used for any other purpose.